Data protection

Data protection information

 

in accordance with Articles 13 and 14 of the GDPR

1. General

The protection of your personal data is very important to us. We therefore process your data exclusively in a lawful manner based on the statutory provisions (in particular GDPR, DSG 2018, TKG 2021). In this data protection information, we inform you about the most important aspects of data processing – the type, scope and purposes of the collection and use of personal data – in the context of the use of our website and in the context of other services provided by our company.

1.1. Responsible for processing your data

The controller (within the meaning of Article 4(7) of the GDPR) for the processing of your personal data (personal data within the meaning of Article 4(1) of the GDPR) is:

Hauptplatz 19

Mühlviertel Tourist Board
Hauptplatz 19
4190 Bad Leonfelden
Tel.: +43 (0)5 07263-100
E-Mail: unterweissenbach(at)muehlviertel.at

Data protection officer:
We take the protection of personal data seriously and have appointed an external data protection officer for this purpose. Our data protection officer is MMag. Martin Zeppezauer, Thurnbichlweg 50, A-6353 Going am Wilden Kaiser. (www.zepedes.com). You can contact our data protection officer at the following email address: martin(at)zepedes.com contact.


1.2. Purposes, categories of data and legal bases for the processing of personal data

Purposes of processing

The purposes of processing your personal data generally arise from our business activities as a tourism organisation: providing our online services, processing customer enquiries/orders/bookings, accounting, communication with business partners and customers. Detailed information on the purposes of processing and, where applicable, further processing for other compatible purposes, as well as on the categories of data processed, can be found in the detailed descriptions of the individual data processing procedures.

General data categories

  • Personal master data (e.g. name, date of birth and age, address)
  • Contact details (e.g. email address, telephone number, fax number)
  • Communication data (time and content of communication)
  • Order or booking data (e.g. goods ordered or services commissioned and invoice data such as service period, payment method, invoice date, tax identification number, etc.)
  • Payment data (e.g. account number, credit card details)
  • Contract data (contents of contracts of any kind)
  • Web usage data (e.g. server data, log files and cookies)
  • Geodata (e.g. app usage data)

Special categories of data (‘sensitive data’) pursuant to Art. 9 GDPR

  • Health data (only if you have provided us with this data by expressly consenting to the processing of your order (e.g. booking a hotel that specialises in guests with food intolerances or allergies))

Legal basis for processing

There is generally no obligation to provide the data described in this privacy policy. Failure to provide this data will simply mean that we cannot offer these services. The legal basis for the processing of your personal data, which is necessary for the fulfilment of a contract with you or an order you have placed with us, is Art. 6 (1) lit. b GDPR. Insofar as the processing of personal data is necessary for us to fulfil a legal obligation (accounting obligation, bookkeeping obligation or other legal documentation obligations), Art. 6 (1) lit. c GDPR serves as the legal basis. If the processing of the data is in your own vital interest, the legal basis for data processing is Art. 6 (1) lit. d GDPR. If we process your data to perform a task assigned to us in the public interest (‘sovereign action’), the legal basis is Art. 6 (1) lit. e GDPR. If processing is necessary to safeguard a legitimate interest of our company or a third party and your interests, fundamental rights and freedoms do not outweigh our interest, Art. 6 (1) lit. f GDPR (‘legitimate interest’) serves as the legal basis for processing. In this case, we will also inform you about our legitimate interests. If we have no other legal basis for the processing of personal data as explained above, we will ask for your consent to the processing of data, in which case we will rely on Article 6 (1) lit. a GDPR or, in the case of the processing of sensitive data, Article 9 (2) lit. a GDPR as the legal basis. You can revoke this consent at any time free of charge without affecting the lawfulness of the processing carried out on the basis of the consent until revocation.

1.3. Data transfer to processors and third parties

We process your personal data with the support of processors who assist us in providing our services. These processors are bound by an agreement with us in accordance with Art. 28 GDPR to strictly protect your personal data and may not process your personal data for any purpose other than to provide our services. You can find out which processors are involved in the detailed descriptions of the individual data processing procedures.

Your personal data may be passed on to companies other than our processors, such as banks, tax advisors or auditors. Personal data will only be transferred to government institutions and authorities within the framework of mandatory national legislation.

Depending on your request (e.g. for bookings and enquiries), your personal data will only be transferred to the extent necessary to hotel partners or other tourism service providers (members of our organisation) who are required to fulfil your request. The personal data transferred varies depending on the service.

1.4. Transfers to third countries

We generally process your personal data within the EU. If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of using the services of our processors or third parties, this will only take place if the requirements of Art. 44 et seq. GDPR for transfers to third countries are met: i.e. on the basis of special guarantees, such as the officially recognised determination of a level of data protection equivalent to that of the EU, or in compliance with officially recognised contractual obligations, the so-called ‘EU standard contractual clauses’. If we refer to the EU standard contractual clauses as the legal basis for the transfer of your personal data, we will also check the admissibility of this data transfer as part of a comprehensive risk assessment. If we come to a negative conclusion, we will not transfer this data to a third country without your express consent in accordance with Art. 49 (1) (a) GDPR.

1.5. Data deletion and storage period

We will delete your personal data as soon as the purpose for which we collected it no longer applies. Storage may also take place if we process the data for a purpose compatible with the original purpose. It may also take place if this is required by laws, regulations or other provisions to which our company is subject.

1.6. Data sources

We generally collect your personal data from you yourself. We also receive personal data from some of our partners. You can find information on this in the respective detailed information in this data protection information.

1.7. Profiling

We do not use automated decision-making or profiling processes that have legal effects on you or similarly significantly affect you. However, with your consent, we will use your usage data to better understand your interests and thereby display information that is of interest to you, make you tailored offers, or display relevant information to you on third-party websites or social media platforms.

1.8. Protection of your data protection rights

In accordance with the GDPR, you have the right to information, correction, deletion and restriction of the processing of your personal data. If the legal basis for the processing of your personal data is your consent or a contract concluded with you, you also have the right to data portability. You have the right to withdraw any consent you may have given to the processing of your personal data. This does not affect the lawfulness of the processing of your personal data until the time of withdrawal. You have the right to object to the processing of your personal data for the purpose of direct marketing. In the event of an objection, your personal data will no longer be processed for the purpose of direct marketing. A detailed explanation of these rights can be found here in Chapter III.

Right to lodge a complaint

If you believe that the processing of your data violates data protection law or that your data protection rights have been violated in any other way, you can lodge a complaint with the competent supervisory authority. In Austria, this is the Data Protection Authority (Barichgasse 40-42, 1030 Vienna, email: dsb(at)dsb.gv.at).

2. Visiting our website

In this section, we inform you about how we process your personal data when you visit our website.

2.1. Presentation of the website

Server data

For technical reasons, based on the legal basis of Section 165 (3) sentence 3 TKG 2021 (required for the operation of our website), the following data, among other things, which your internet browser transmits to us or to our web space provider, is collected (so-called ‘server log files’):

  • Browser type and version
  • Operating system and device type used (e.g. desktop/mobile)
  • Website from which you visit us (referrer URL)
  • Website you visit
  • Date and time of your access
  • Your Internet Protocol address (IP address)

This data, which is anonymous to us, is stored separately from any personal data you may have provided and therefore does not allow us to draw any conclusions about a specific person. It is evaluated for statistical purposes in order to optimise our website and our offers.

SSL or TLS encryption

This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or enquiries that you send to us as the site operator. You can recognise an encrypted connection by the fact that the address line of the browser changes from ‘http://’ to ‘https://’ or by the lock symbol in your browser line. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

Technical service providers

We create and edit the content of our website with the help of the following service providers, whom we have obliged by means of a corresponding agreement within the meaning of Art. 28 GDPR to process your data exclusively within the scope of our order:

Technical design:

  • TTG Tourismus Technologie GmbH (Freistädter Str. 119, A-4040 Linz). For more information on data protection, please visit:https://www.ttg.at/datenschutz

Web hosting:

2.2. Cookies

Cookie banner – Cookies on our website – Consent management system

Our website uses cookies to help us make our website more user-friendly and efficient for you, to perform statistical analyses of the use of our website and to display content that may be of interest to you on other websites. Cookies are small text files that are used to store information during or about visits to websites and are stored on the website visitor's computer. The legal basis for cookies that are essential for the proper functioning of our website (e.g. shopping basket cookie) is Section 165 (3) S 3 TKG 2021. Cookies that are not necessary for the functioning of our website (e.g. analysis or marketing cookies) are deactivated and are only activated with your consent in accordance with Art. 6 (1) lit. a GDPR in our cookie banner (‘Accept’). By clicking on ‘Settings’, you can activate or deactivate individual cookies or cookie groups. If you restrict the use of cookies on our website, you may not be able to use all the functions of our website to their full extent. Detailed information about the cookies used on our website can be found in our cookie banner → see bottom right of the website -> Customise cookies.

The legal basis for the use of this cookie banner (consent management platform) to control and document your consent or settings regarding cookies and other tools requiring consent for access to our website is our legal obligation under Art. 6 (1) lit. c GDPR. When you access our website, a connection is established with the server of the provider of our cookie banner and a cookie is stored in your browser to save your cookie settings. The processed data is stored until the specified storage period expires or you delete these cookies.

We use the following cookie banner/provider:

• ‘Consent Management Platform TTG’ from TTG Tourismus Technologie GmbH (Freistädter Str. 119, A-4040 Linz). More information on data protection can be found at:https://www.ttg.at/datenschutz 

Changing cookie settings in your web browser

You can determine how your web browser handles cookies, i.e. which cookies are accepted or rejected, in your web browser settings. You can also delete cookies already stored on your computer/device at any time. The exact location of these settings depends on the web browser you are using. Detailed information on this can be found in the help function of the respective web browser.

 

In addition, you can generally object to cookies and similar tracking technologies via the services listed below by setting your individual preferences – which technologies you want to allow for usage- and interest-based advertising:

 

Changing the cookie settings in your web browser

You can determine how your web browser handles cookies, i.e. which cookies are accepted or rejected, in the settings of your web browser. You can also delete cookies already stored on your computer/device at any time. The exact location of these settings depends on the web browser you are using. Detailed information on this can be found in the help function of the respective web browser.

In addition, you can generally object to cookies and similar tracking technologies via the services listed below by setting your individual preferences – which technologies you want to allow for usage- and interest-based advertising:

2.3. Communication with us

Contact form and email

Our website offers you the option of contacting us by email and/or via a contact form. In this case, the information you provide will be processed for the purpose of handling your enquiry on the legal basis of contract performance in accordance with Art. 6 (1) lit. b GDPR. We have a legitimate interest pursuant to Art. 6 (1) lit. f GDPR in using a contact form. The legitimate interest lies in offering our website visitors a way to contact us that does not require them to open their own email client. There is no legal or contractual obligation to provide this personal data. Failure to provide this data will simply mean that you cannot submit your request and we cannot process it. Data will only be passed on to third parties if this is stated on the website or in this privacy policy, if it is necessary for the fulfilment of a contract, or if it is required by law. We only store your data for as long as is necessary to process your enquiries or for any follow-up questions.

2.4. Online shop(s)/booking portal(s)

For the purpose of providing contractual services and their payment and execution in the context of online purchases, bookings and brochure orders, we process your personal master data, contract and payment data as well as communication data (IP address and server log files) on the legal basis of Art. 6 (1) lit. b GDPR (contract fulfilment) and Art. 6 (1) lit. c GDPR (legal obligation to issue invoices and archive them).

We store this data for as long as the purpose requires, as stipulated by legal regulations (retention period for invoices in accordance with § 132 BAO for 7 years; voucher orders until the expiry of the redemption period for 30 years) or we need this data on the legal basis of Art. 6 (1) lit. f GDPR (legitimate interest) to defend against possible liability claims. If you cancel the order process, we will store the data for 14 days to clarify any possible problems during the order process.

There is no legal or contractual obligation to provide personal data. Failure to provide such data will simply mean that we cannot process your bookings/orders.

Feratel DESKLINE Online bookings, booking enquiries and brochure orders

We process your personal data for the purpose of processing online bookings, brochure orders and enquiries so that we can provide you with the services you have booked with the help of our service provider feratel Media Technologies AG (Maria-Theresien-Straße 8, A-6020 Innsbruck). To this end, we store and process inventory data, communication data, contract data and payment data of our customers, interested parties and other business partners. Processing is carried out for the purpose of providing contractual services or fulfilling pre-contractual services on the basis of the legal principles of Art. 6 (1) (b) GDPR (booking transactions, responding to enquiries and sending brochures) and Art. 6 (1) (c) GDPR (statutory retention periods for bookings and invoices). The data fields marked as required are necessary for the establishment and fulfilment of the contract. WWe disclose your personal data to third parties (hotel partners or other tourism service providers) within the scope of this data processing on the legal basis of Art. 6 (1) lit. b GDPR (if it is necessary for processing a booking) or on the basis of our legitimate interest pursuant to Art. 6 (1) lit. f GDPR for the use of appropriate booking software. We have concluded a corresponding agreement with the company feratel pursuant to Art. 28 GDPR as a processor, which ensures that your data will only be processed within the scope of our order. Further information on data protection at feratel can be found at:  https://www.feratel.com/datenschutz.html.

External payment service providers

For the payment of orders/bookings, we use external payment service providers on the legal basis of Art. 6 (1) lit. b GDPR (contract fulfilment), via whose platforms you can make your payments. The payment details you enter when placing your order (e.g. account numbers, credit card numbers including verification codes, passwords/TANs, etc.) are processed exclusively by our payment service providers and are not visible to us. We only receive confirmation of the payment made or information that the payment could not be executed via our payment service providers. Further information on data protection and the terms and conditions of our payment service providers can be found at:

• Datatrans AG, Kreuzbühlstrasse 26, CH-8008 Zurich.

Tel. +41 44 256 81 91
E-Mail: info(at)datatrans.ch 
https://www.datatrans.ch/de/datenschutzbestimmungen/ 
• Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA
E-Mail: support(at)stripe.com 
https://stripe.com/at/privacy 
• ETRON Pay, Pottendorfer Straße 23/2/3B, A-1120 Wien
Tel. +43 1 904 21 09
E-Mail: office(at)etron.at 
 

2.5. Email newsletter

Email newsletter (TTG)

You can register for our newsletter on our website. The legal basis for sending the newsletter is your consent within the meaning of Art. 6 (1) lit. a GDPR. Registration for our newsletter is carried out using the double opt-in procedure. This ensures that no one can register with someone else's email address (e.g. your email address). You can revoke your consent at any time free of charge by clicking on the ‘Unsubscribe’ link at the end of each newsletter. The legality of the data processing operations that have already taken place up to that point remains unaffected by the revocation. After you have unsubscribed, we will continue to store your email address for 3 years on the basis of our legitimate interest (Art. 6 (1) lit. f GDPR) in order to be able to prove your original consent if necessary. We use the service provider TTG Tourismus Technologie GmbH (Freistädter Str. 119, A-4040 Linz) to send out our newsletter. With the help of TTG, we can analyse our newsletter campaigns.When an email sent using the TTG newsletter tool is opened, a connection is established with the TTG servers (server location: Linz, Austria). This allows us to determine whether a newsletter message has been opened and which links, if any, have been clicked on. The purpose of these analyses is to better tailor future newsletters to the interests of the recipients. In addition, technical information such as the time of retrieval, the IP address, browser type and operating system of the recipient are recorded. We have concluded a data processing agreement with TTG within the meaning of Art. 28 GDPR to ensure that your data is only processed to the extent desired by us and permitted by you. General data protection information from TTG at: https://www.ttg.at/datenschutz/.

2.6. Web analysis – statistical analyses of our website

Google Tag Manager

We use the service provided by Google Ireland Limited (‘Google’) (Gordon House, Barrow Street, Dublin 4, Ireland) to manage website tags via a shared tool. The Google Tag Manager tool itself (which implements the tags) is a domain that does not set cookies and does not collect any personal data. The tool triggers other tags, which may collect data. Google Tag Manager does not access this data. If deactivation has been carried out at domain or cookie level, this remains in place for all tracking tags implemented with Google Tag Manager. Google is a certified partner of the EU-US Data Privacy Framework. The legal basis for data transfers to the US (at least in some cases) is therefore an adequacy decision by the European Commission within the meaning of Art. 45 (3) GDPR, in which the European Commission certifies that the US has an adequate level of data protection. Further information on data protection at Google can be found at: https://www.google.com/policies/privacy/. More information about how Google uses personal data: https://business.safety.google/privacy/. 

Google Analytics

This website uses functions of the web analysis service Google Analytics. The provider of this service is Google Ireland Limited (‘Google’) (Gordon House, Barrow Street, Dublin 4, Ireland). The legal basis for the use of this service is your consent in accordance with Art. 6 (1) lit a GDPR. Google Analytics uses cookies that are stored on the website visitor's computer and enable an analysis of the visitor's use of our website. The information generated by the cookie about your use of our website is usually stored on European servers and only in exceptional cases is it transferred to a Google server in the USA and stored there. We use Google Analytics with IP anonymisation enabled. This means that your IP address is usually truncated by Google within the European Union and only in exceptional cases is the full IP address transferred to a Google server in the USA and truncated there. Google is a certified partner of the EU-US Data Privacy Framework. The legal basis for data transfers to the USA (at least in some cases) is therefore an adequacy decision by the European Commission within the meaning of Art. 45 (3) GDPR, whereby the European Commission certifies that the USA has an adequate level of data protection. The IP address transmitted by the relevant browser within the framework of Google Analytics is not merged with other Google data.On our behalf, Google will use the information collected to evaluate the use of the website and to compile reports on website activity. Collection by Google Analytics can be prevented by adjusting the cookie settings for this website. The collection and storage of the IP address and the data generated by cookies can also be revoked at any time with future effect. The corresponding browser plugin can be downloaded and installed at the following link: https://tools.google.com/dlpage/gaoptout.User data is stored for 14 months. Further information on data usage by Google, settings and options for objection can be found in Google's privacy policy. (https://policies.google.com/privacy) as well as in the settings for the display of advertisements by Google (https://adssettings.google.com/authenticated). More information about how Google uses personal data: https://business.safety.google/privacy/. 

 

2.7. Integration of additional third-party services and content

We integrate third-party content and functions into our website. This always requires that the providers of this content or these functions recognise the IP address of the users (website visitors). Without the IP address, they would not be able to send the content to the browser of the respective user. The IP address is therefore necessary for the display of this content. We endeavour to use only content whose respective providers use the IP address solely for the delivery of the content. However, we have no influence on whether third-party providers store the IP address for statistical purposes, for example. The legal basis for the use of these services, insofar as they are necessary for the functioning of our website, is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR, otherwise your consent pursuant to Art. 6 (1) lit. a GDPR. Information on the purpose and scope of further processing and use of the data by the providers of the embedded services/content, as well as further information within the meaning of Articles 13 and 14 GDPR, can be found under the information links below. The following services/content are included in

destination.one Maps

We use the ‘destination.one’ service provided by neusta destination.one GmbH (Münchenerstraße 1, D-86899 Landsberg am Lech) to display accommodation providers in our region on a map. To do this, the map material is loaded from the destination.one server. The following data is transferred to destination.one: the page visited on our website, the IP address of your device, the content of the request, location data, operating system, and language and version of the browser software. destination.one uses cookies stored on your browser to evaluate your request. The legal basis for the processing of your data is Art. 6 (1) lit. f GDPR (legitimate interest). Our legitimate interest lies in the appealing presentation of our online offering and the geographical presentation of the offerings in our region. In the case of location data from mobile devices, the legal basis is your consent in accordance with Art. 6 (1) lit. a GDPR, in that you approve the transfer of location data on your mobile device. Further information on data protection at destination.one can be found at: https://www.destination.one/datenschutz/. 

Captcha.eu (spam protection)

To protect your orders via the online form, we use the Captcha.eu service from Captcha GmbH (Muthgasse 2, A-1190 Vienna) on our website. This allows us to protect our website and its visitors from misuse, bots and spam. Captcha.eu checks whether entries in our forms (e.g. enquiry form, brochure order, etc.) are made by humans or whether programmes (bots) are used for this purpose. To do this, it is necessary to collect the following data and transmit it to Captcha.eu in order to check whether the entry is made by a human or a bot: Your IP address (which is shortened before being stored and can no longer be traced back to you), referrer website (the website from which you were linked to our website), device and browser type of your PC/tablet/smartphone, cookie or local storage value (remains on your device) and, in particular, mouse movements and time intervals between keystrokes. We use Captcha.eu on the basis of our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. Our legitimate interest lies in protecting our website and our website visitors from misuse and spam. According to Captcha.eu, the processed data is stored for a maximum of 6 months. Further information on data protection at Captcha.eu can be found at: https://www.captcha.eu/dsgvo-user.

YouTube

We embed videos from the YouTube platform provided by Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland) in extended data protection mode. Implementation is based on Art. 6 (1) lit. f GDPR, whereby our interest lies in the smooth integration of the videos and the appealing design of our website. However, we only use YouTube if you have given your consent. The legal basis for the processing of your data is therefore your consent in accordance with Art. 6 (1) lit. a GDPR, which you can revoke at any time for the future. When you visit a page on which we have embedded a YouTube video, a connection to the Google servers is established and the content is displayed on the website by notifying your browser. According to Google, in extended data protection mode, your data (in particular which of our websites you have visited) and device-specific information, including your IP address, will only be transmitted to the YouTube server when you watch the video. Google is a certified partner of the EU-US Data Privacy Framework. The legal basis for data transfers to the USA (at least in individual cases) is therefore an adequacy decision by the European Commission within the meaning of Art. 45 (3) GDPR, whereby the European Commission certifies that the USA has an adequate level of data protection. If you are logged in to Google at the same time, this information will be associated with your Google member account. You can prevent this by logging out of your member account before visiting our website or by adjusting your individual settings in your Google account at the following link: https://adssettings.google.com/authenticated. Further information on YouTube's data protection policy can be found at: https://www.google.com/policies/privacy/. More information about how Google uses personal data: https://business.safety.google/privacy/.

Webcams

We integrate webcams from other websites of providers in our region into our website to show the current weather in our region. The implementation is based on our legitimate interest pursuant to Art. 6 (1) lit. f GDPR, whereby our interest lies in providing information about the current weather in our region on our website. When you visit a page on which we have embedded webcams, a connection to the providers' servers is established and the content is displayed on the website by sending a message to your browser. For this purpose, it is necessary to transmit your IP address, along with some browser information (browser type, browser version, etc.) and information about when you accessed these pages, to the providers' servers.

3. Other data processing in business contact

Further information on our other data processing procedures in business and customer contact can be found in the data protection information on our main website.www.muehlviertel.at

Current version of the data protection information dated 26 February 2025